The first couple of DNS calls are as expected for Tinba's DGA: the connectivity check (to google.com), the DNS call for the seed domain (blackfreeqazyio.cc), and then the generated domains nvfowikhevmy.com, sjhuqlwrqhqx.com and pxqgonyogeee.com. The last three domains are generated with the seed jc74FlUna852Ji9o.

What separates this sample from other Tinba samples is the additional check of top level domains other than .com. For instance:

oqxvkgnpxhyi.com
oqxvkgnpxhyi.net
oqxvkgnpxhyi.in
oqxvkgnpxhyi.ru

The four top level domains are hardcoded eight bytes apart:

The offset [ebx+4069C8h] references the start of the above content, i.e., offset 0x1659A4. The following lines of the Tinba sample use this data to make the additional DNS queries:

Line 0x162C82 adds the dot to the second level domain (in edi); lines 0x162C8B to 0x162C8E append the 8 characters containing com and the null terminator. If the call to gethostbyname (offset 0x162C99) does not return an IP, the pointer edi is reset by 8 characters (offset 0x162CA), so that it again points at the start of the top level domain. The pointer esi now points to 0x1659AC, i.e., net\0….. Again 8 bytes are copied from esi to edi, overwriting com with net. These steps are repeated for .in and .ru in case the DNS queries fail.

If a domain returns an IP, the remaining top level domains are skipped, even if the IP turns out to be an invalid C&C server. This is why you only see a check for nvfowikhevmy.com and not the other three top level domains in the malwr.com analysis. The Sophos sandbox supposedly resolves all DNS queries, which is why the queries for the top level domains .net, .in and .ru are missing from that analysis.
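The fall-through over the four top level domains, modelled in Python as an added example (this is not code from the post or the sample): the DGA itself is not reproduced, the second level domains are the ones listed above, the exact padding bytes of the 8-byte table slots are assumed, and resolve() stands in for gethostbyname so the loop runs offline. It also shows the DNS pattern a defender can look for: one label queried under several TLDs in a row.

```python
# Added example, not code from the blog post: a model of the TLD cycling loop
# described above. The DGA is not reproduced; resolve() replaces gethostbyname.

# The hardcoded table: four TLDs eight bytes apart, each null terminated.
# (Padding bytes are assumed; only the 8-byte stride is from the post.)
TLD_TABLE = b"com\0\0\0\0\0net\0\0\0\0\0in\0\0\0\0\0\0ru\0\0\0\0\0\0"

def tlds_from_table(table):
    """Walk the table in 8-byte steps, like esi advancing by 8 after each failed query."""
    return [table[i:i + 8].split(b"\0", 1)[0].decode() for i in range(0, len(table), 8)]

def query_sequence(sld, resolve):
    """FQDNs the sample would query for one second level domain, in order.
    The loop leaves as soon as resolve() returns an IP, even a useless one,
    so a sandbox that answers everything only ever shows the .com query."""
    queried = []
    for tld in tlds_from_table(TLD_TABLE):
        fqdn = f"{sld}.{tld}"
        queried.append(fqdn)
        if resolve(fqdn) is not None:
            break
    return queried

# Constructed stand-ins for gethostbyname.
def nothing_resolves(fqdn):
    return None

def everything_resolves(fqdn):
    return "203.0.113.1"          # constructed TEST-NET-3 address

def only_ru_resolves(fqdn):
    return "203.0.113.2" if fqdn.endswith(".ru") else None

def slds_with_multiple_tlds(queried_names, minimum=2):
    """Detection helper: labels seen under several TLDs within a set of DNS
    queries. The fall-through produces exactly this pattern when the .com
    domain is unregistered; ordinary hosts rarely do."""
    seen = {}
    for name in queried_names:
        sld, _, tld = name.rpartition(".")
        seen.setdefault(sld, set()).add(tld)
    return sorted(s for s, t in seen.items() if len(t) >= minimum)

if __name__ == "__main__":
    log = query_sequence("oqxvkgnpxhyi", nothing_resolves) + ["google.com"]
    print(query_sequence("nvfowikhevmy", everything_resolves))
    print(slds_with_multiple_tlds(log))
```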

Since it uses four top level domains instead of just one, the Tinba sample only generates 100 different second level domains instead of 1000. The following pseudo-code summarizes the callback loop.